Tangled Data Protection Laws Threaten Cloud, Critics Say

Technology group calls for "Geneva Convention" to address complex maze of data laws that affect growth of cloud computing and global trade.

As IT leaders get more comfortable moving their data operations into the cloud, concerns are growing about conflicting international laws that govern data generated in one country and stored in another.

Policymakers around the world are fueling those concerns. Anxious to protect data privacy and security, they are advocating requirements to store certain types of data domestically, says Daniel Castro, a senior analyst with the Information Technology and Innovation Foundation.

Those policies, however, are not only creating headaches for technology managers moving data across the globe, they're also bumping up against delicate free trade agreements that involve senior government officials well beyond the reach of the typical CIO's office.

"We're finding that companies are being caught in the middle [between conflicting privacy and security laws]," said Castro in an interview with InformationWeek. The economic stakes have grown so significant that the ITIF recommended this week that the US and its trade partners develop a "Geneva Convention" to address the conflicts and what appears to be a growing wave of "data nationalism."

"The notion that data must be stored domestically to ensure that it remains secure and private is false," says Castro. But, he warned, "Misunderstandings about the security and privacy of data are resulting in policies that negatively affect innovation, productivity, trade, and consumer welfare."

In an effort to clarify the current state of international data laws and help avert a movement toward more protectionist policies, the ITIF released a position paper on Dec. 9 entitled "The False Promise of Data Nationalism." In it, Castro notes that exports of digitally enabled services from the US alone totaled $356 billion in 2011, a five-fold increase since 2007.

At the same time, Castro argues, economies of scale for storing and processing data in large cloud computing facilities make it increasingly impractical and more expensive to restrict data to smaller datacenters located in different countries.

However, over the past few months, Castro says he has observed leaders in a variety of countries "talking about data from the perspective of where it's stored being integral to privacy and protection." Part of what's elevating policymakers' concerns, he says, are revelations about US government surveillance practices, following the leak of National Security Agency documents.

At the heart of the legal debate over data protection is how countries apply different security standards to data and what data owners must do when certain types of data -- typically involving personally identifiable information -- are disclosed either inadvertently, voluntarily, or by government mandate.

Determining which laws govern the disclosure of data can be complicated. As Castro notes in his report, "Multiple countries may assert jurisdiction over data due to the nationalities of the individuals or organizations that own the data, the service providers storing the data, the individuals or organizations accessing the data... or where the data is stored."

While the global data policy debate might appear to be of remote concern to federal agencies, whose data are routinely processed and stored in US-based facilities, it does affect the multi-national cloud service providers agencies rely upon, which bear the economic costs and legal uncertainties of international data laws.

Microsoft executive vice president and general counsel Brad Smith has been barnstorming the globe, calling on governments, particularly in Europe, to establish greater uniformity in how cloud computing companies are regulated. The lack of uniformity makes it difficult to establish and execute contract terms and conditions with international customers.

"Governments must take steps to ensure that existing regulatory frameworks are suited to the cloud," he said in one of his earliest blog posts on the subject, nearly three years ago. Smith insists that cloud computing's potential to spur economic growth depends on governments getting involved in developing "more balanced and predictable rules governing cloud vendors" and facilitating easier movement of data across borders while maintaining legal protection for consumers.

From the ITIF's view, the need to resolve data handling rules goes beyond cloud computing and to the larger issue of international trade, which increasingly depends on the free movement of data around the world.

"What people don't realize is this isn't something technology companies can address by themselves," Castro says. "There's a tremendous economic impact if governments don't get involved in dealing with data protection laws -- or worse, take an isolationist's approach to Internet governance and trade."

Wyatt Kash is editor of InformationWeek Government. He has been covering technology trends in government since 2004.


The complexities are immense, and getting more so. Reminds me of what Amazon (the retailer vs the web services provider) faces in dealing with 50 state tax laws and the finer points of having a physical presence. In this case, it would be like trying to decide whose laws apply depending on A) who bought the product + who made the product + who shipped the product + who invoiced the product + who carried the product + which distribution centers and trucks did the product sit in during transit + who received the product, etc.

The document from ITIF mentioned here helps frame this more clearly. Check it out at: http://www2.itif.org/2013-false-promise-data-nationalism.pdf

My main concern around data protection as it relates to foreign-hosted assets is really about what happens in the case of a security incident. Should the government require involvement, due to a linkage to organized crime or piracy concerns, who dictates whether or not they can obtain access? For example, due to the higher availability of cloud services in the US, should a foreign company host data and the local government deem them to be a company of interest, who in the end gets to govern how assets can be accessed? That's going to be a key point when it comes to weighing the options of foreign hosted cloud services.

Ulf Mattsson, thanks for sharing your observations about tokenization as an approach to data privacy, and referencing the report from the Aberdeen Group that indicated "...Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users". We'll have to explore that further.

Microsoft, as you know, has a huge stake in the future of cloud adoption, as one of the world's leading cloud computing service providers, both in terms of its global infrastructure as well as its SaaS and PaaS platforms that operate in -- and carry data across -- the cloud, i.e., Office 360 and Azure. I can't speak for Smith. But I think his point would likely be, greater uniformity would help enterprises move to the cloud sooner. True, that lifts the tide for all boats, including Amazon and Google. But a boat the size of Microsoft is clearly going to benefit.

"The notion that data must be stored domestically to ensure that it remains secure and private is false". -Castro

For US companies, the NSA controversy would seem to support this assertion. However, this can be misleading as it focuses on the location aspect of the data rather than protecting accessibility of the data itself, which is the real issue here.

Whether your data is plundered by your own government, a foreign government, or a new government (say in the event of a coup), the point here really is that you can't control what governments do (directly). You can outsource your data and data functions to the cloud, but not the responsibilities. "Your" here can mean you personally or the company you work for.

Companies would need to implement their own encryption methods for data at rest in the cloud as well as data in transit when accessing that same cloud information. They should not trust the cloud provider to do this for them, as now you have the fox guarding the henhouse, so to speak. Example: One government coup, and the cloud provider may literally be forced to turn over the encryption keys at gunpoint. They can't do that if the keys are held by the owner of the data elsewhere, out of reach.

Will companies follow up with the requisite encryption? Consider: 1) the costs of acquiring and managing that technology, 2) slower response time of cloud providers serving up data as it's constantly being encrypted/decrypted on the fly [for some businesses, fractions of a second do count], 3) the likelihood, large or small, that at least one competitor will omit doing this as a "cost saving action" to gain an edge on the competition - until the first breach happens, exposing this high-risk behavior. Weigh that against the risk of a data seizure attempt occurring (hint: if the data is out in the cloud long enough, that risk approaches 100%).

Wyatt, why has Microsoft dispatched Smith on this barnstorming tour? What's its big stake in establishing greater uniformity in how cloud computing companies are regulated? Yes, it will help with international contracts, but it seems of equal or greater benefit to Amazon and Google.

How to store data outside the domestic borders and at the same time be compliant with regulations

I agree that "The notion that data must be stored domestically to ensure that it remains secure and private is false".

It is actually easy to store data outside the domestic borders and at the same time be compliant with regulations and also ensure that the data remains secure and private.

I found interesting projects that addressed the challenge to protect sensitive information about individuals in a way that will satisfy European Cross Border Data Security requirements.

One project included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated in one European country. The project achieved targeted compliance with EU Cross Border Data Security laws, Datenschutzgesetz 2000 - DSG 2000 in Austria, and Bundesdatenschutzgesetz in Germany by using a data tokenization approach, protecting the data before sending and storing it in the cloud.

This new approach to data privacy is described in a report from the Aberdeen Group. The report revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users". Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data.

The name of the study is "Tokenization Gets Traction". Aberdeen has also seen "a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data".

Completely agree with the complexity created by country & state specific regulations mandating that PII be stored and processed in defined jurisdictions. Cloud Data Control Gateways, part of a framework that Gartner refers to as Cloud Access Security Brokerage services, can help. Products like PerspecSys allow organizations to keep the subset of regulated data local in the datacenter, and only surrogate tokens or encrypted values leave to go to the cloud. They own the token vault or encryption keys. End users are not aware the gateway is in place behind the scenes - they have full use of the cloud.
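
The gateway pattern described in the comments above (regulated fields stay on premises, only surrogate tokens reach the cloud, and the data owner holds the vault), sketched as an added example that is not part of the original page and not any vendor's product code. The field names, the `tok_` prefix and the sample record in the closing comment are constructed assumptions.

```python
import secrets

# Assumption: these field names mark the regulated PII in a record.
REGULATED_FIELDS = {"name", "iban"}


class TokenVault:
    """Token-to-value map kept in the owner's datacenter, never uploaded."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        # Reuse the token for a repeated value so cloud-side lookups and
        # joins on the tokenized column keep working.
        if value in self._by_value:
            return self._by_value[value]
        # Random token: unlike ciphertext it has no mathematical relation
        # to the value, so there is no key the provider could hand over.
        token = "tok_" + secrets.token_hex(16)
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token):
        # Raises KeyError for a token this vault never issued.
        return self._by_token[token]


def outbound(record, vault):
    """Gateway, outbound leg: replace regulated fields with tokens."""
    return {k: vault.tokenize(v) if k in REGULATED_FIELDS else v
            for k, v in record.items()}


def inbound(record, vault):
    """Gateway, inbound leg: restore original values for the end user."""
    return {k: vault.detokenize(v) if k in REGULATED_FIELDS else v
            for k, v in record.items()}


# Constructed sample: what the cloud provider would store for one record.
# vault = TokenVault()
# outbound({"name": "Erika Mustermann", "iban": "DE00-EXAMPLE", "balance": 1200}, vault)
```

Anyone holding only the cloud copy, whether the provider or an authority compelling it, sees tokens for `name` and `iban`; reversing them requires the vault, which stays in the owner's jurisdiction.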
